New backdoors in HP server products

HP acknowledged that their StoreVirtual servers may contain undocumented backdoors. Vulnerability can cause unauthorized access to storage systems. The backdoor provides users with the ability to directly access the holy of holies, “LeftHand” (the operating system on the StoreVirtual server). HP has previously sold its StoreVirtual systems on the market as LeftHand (LeftHand Storage) and P4000 SAN storage. The LeftHand operating system was originally called SAN / iQ.

HP's support center emphasizes that, although backdoors provide full access to the server, they do not provide access to user data. By July 17, HP plans to release a “patch” that would remove the backdoor.

The presence of a similar backdoor in HP backup servers was discovered at the end of June. As in the case of StoreOnce systems, this case is associated with undocumented access by administrators. In an emergency, such as resetting the master password if necessary, this gave HP staff the opportunity to offer remote assistance to users. Like StoreOnce, the vulnerability was detected again by security researcher Joshua Small, known by the pseudonym Technion.
')
The backdoor on StoreOnce systems only affected devices whose software was not updated to version 3 (released in November 2012). According to HP, the entire second-generation StoreOnce device can be upgraded to the third-generation StoreOnce, and only the early StorageWorks D2D devices are unable to work on this software. A list of affected systems can be found at the official HP support center .

The storage methods used in StoreOnce 3.x are completely different from those used in previous versions. Therefore, before installing new software, administrators who want to upgrade will need to back up all data and then restore it after installation. Therefore, for many customers, a patch for StoreOnce 2.x, released on July 7th, may be a simpler, short-term solution. Joshua Smalls tested this patch and confirms that it actually deactivates the hidden HPSupport account.

Small single-handedly discovered a security vulnerability due to sheer frustration, also exposing the name of the supporting account and the SHA-1 password hash. Hackers would quickly crack this password, because its length is only 7 characters. Prior to this find, Small spent several weeks in vain trying to arouse HP’s seriousness regarding weak protection. However, before reacting, HP waited until a security vulnerability was discovered.

HP became much more talkative when Small told them about the presence of backdoors on their StoreVirtua servers, so Small refrained from immediate notice. The backdoor for administrators has been part of the LeftHand operating system since at least 2009 . Again, it turns out that the username and password of the account are unchanged.